Cloud based reputation system for browser extensions and toolbars

ABSTRACT

A method and apparatus for an automated classification rating of browser extensions is provided.

RELATED APPLICATION

This application claims the priority benefit of U.S. ProvisionalApplication 62/059,089 filed Oct. 2, 2014. The disclosure of theabove-referenced application is incorporated herein by reference in itsentirety.

FIELD OF THE INVENTION

The disclosure relates generally to systems and methods for removingmalware, and more particularly, to a cloud based system for assessing areputation for browser extensions and toolbars, and removing browsermalware in accordance with the reputation of a browser extension ortoolbar.

BACKGROUND

The Internet is a worldwide public system of computer networks providinginformation, shopping capabilities and other kinds of businessopportunities accessible to tens of millions of people worldwide. Themost widely used part of the Internet is the World Wide Web, oftenabbreviated “WWW” or simply referred to as just “the web.” The web is anInternet service that organizes information through the use ofhypermedia. The HyperText Markup Language (“HTML”) is typically used tospecify the contents and format of a hypermedia document (e.g., a webpage). Other popular formats to display contents of a web page areJAVA™, the Portable Document Format (PDF), AJAX, Adobe Flash orMicrosoft Silverlight. Hypertext links refer to other documents by theiruniform resource locators (URLs). A client program, known as a browser,e.g. MICROSOFT® INTERNET EXPLORER®, GOOGLE® CHROME®, MOZILLA® FIREFOX®,APPLE® SAFARI®, runs on the user's computer and is used to render thecontent of a web page and display it in human readable form. The browseris also used to follow a link, e.g., send a query to the web server.

Browser extensions are small programs that extend the defaultfunctionality of the browsers. Such extensions can help a user to managehis passwords for the access of different websites that require apassword (single sign on), to block ads or ad tracking services or todisplay the reputation of search results. A browser extension mayprovide a toolbar on the browser user interface.

Browser extensions initially provided useful features or customizationsto browsers. However, browser extensions have been misused in anincreasing scale over the last years. For example, many extensionauthors started to use extensions in order to collect privateinformation or to hijack the browser settings for homepage and searchprovider in order to earn money. Many of these unwanted extensions arenot actively searched for and installed by a user, but instead comebundled with other software a user wants to install and are typicallyoffered as an opt-out to the desired software.

A large number of these undesirable browser extensions come as opt-outoffers bundled together with valuable software and behave in a similarmanner to other known forms of malware, but they come with an end-userlicense agreement (EULA). Therefore it is difficult for a conventionalanti-virus program to flag these bundled applications as malware.

BRIEF DESCRIPTION OF THE DRAWINGS

For a better understanding of the inventive subject matter, referencemay be made to the accompanying drawings in which:

FIG. 1 is a block diagram of a system including client and backendsystems for analyzing browser extensions according to embodiments.

FIG. 2 is a block diagram illustrating an example scoring system used tosuggest a rating for a browser extension according to embodiments.

FIG. 3 is a flowchart illustrating example operations for a method forrating a browser extension according embodiments.

FIG. 4 provides an example user interface according to embodiments.

FIG. 5 is a block diagram of an example embodiment of a computer systemupon which embodiments of the inventive subject matter can execute.

DETAILED DESCRIPTION

In the following detailed description of example embodiments of theinvention, reference is made to the accompanying drawings that form apart hereof, and in which is shown by way of illustration specificexample embodiments in which the invention may be practiced. Theseembodiments are described in sufficient detail to enable those skilledin the art to practice the inventive subject matter, and it is to beunderstood that other embodiments may be utilized and that logical,mechanical, electrical and other changes may be made without departingfrom the scope of the inventive subject matter.

Some portions of the detailed descriptions which follow are presented interms of algorithms and symbolic representations of operations on databits within a computer memory. These algorithmic descriptions andrepresentations are the ways used by those skilled in the dataprocessing arts to most effectively convey the substance of their workto others skilled in the art. An algorithm is here, and generally,conceived to be a self-consistent sequence of steps leading to a desiredresult. The steps are those requiring physical manipulations of physicalquantities. Usually, though not necessarily, these quantities take theform of electrical or magnetic signals capable of being stored,transferred, combined, compared, and otherwise manipulated. It hasproven convenient at times, principally for reasons of common usage, torefer to these signals as bits, values, elements, symbols, characters,terms, numbers, or the like. It should be borne in mind, however, thatall of these and similar terms are to be associated with the appropriatephysical quantities and are merely convenient labels applied to thesequantities. Unless specifically stated otherwise as apparent from thefollowing discussions, terms such as “processing” or “computing” or“calculating” or “determining” or “displaying” or the like, refer to theaction and processes of a computer system, or similar computing device,that manipulates and transforms data represented as physical (e.g.,electronic) quantities within the computer system's registers andmemories into other data similarly represented as physical quantitieswithin the computer system memories or registers or other suchinformation storage, transmission or display devices.

In the Figures, the same reference number is used throughout to refer toan identical component that appears in multiple Figures. Signals andconnections may be referred to by the same reference number or label,and the actual meaning will be clear from its use in the context of thedescription. In general, the first digit(s) of the reference number fora given item or part of the invention should correspond to the Figurenumber in which the item or part is first identified.

The description of the various embodiments is to be construed asexamples only and does not describe every possible instance of theinventive subject matter. Numerous alternatives could be implemented,using combinations of current or future technologies, which would stillfall within the scope of the claims. The following detailed descriptionis, therefore, not to be taken in a limiting sense, and the scope of theinventive subject matter is defined only by the appended claims.

The disclosure includes systems and methods to detect browserhijackings. The disclosed embodiments can track the behavior of a largenumber of users in order to determine the reputation of browserextensions such as toolbars. Some embodiments combine variouscharacteristics of different extensions or toolbars for comparison inorder to group the extensions or toolbars into families. This can bedesirable because some of the extensions or toolbars can be polymorphiclike typical malware (i.e., they are modified to appear as differentsamples after each few installations) or use well known brand names like“facebook” or “ebay” in order to avoid a removal by the user.

FIG. 1 is a block diagram of a system 100 including client and backendsystems for analyzing browser extensions and toolbars according toembodiments. In some aspects, the system 100 includes a client computer105 and a cloud system 120. The client computer 105 can be a typicalcomputer running a Microsoft Windows, Apple Macintosh or any otheroperating system. The computer can have one or more different browsers.Examples of such browsers may include Microsoft Internet Explorer,Google Chrome, Mozilla FireFox, Apple Safari etc. The embodiments arenot limited to any particular type or brand of browser. Client computer105 may include a client application 150, which can include a scheduler101, a browser extension detector (e.g. detector 102 and 103), a cachingmodule 110, a cloud verifier 111 and user notifier 112. It should benoted that any or all of the scheduler 101, the browser extensiondetector 102, the browser extension detector 103, caching module 110,the cloud verifier 111 and the user notifier 112 may be a routine withinclient application 150, a thread associated with a process forapplication 150, or they may be provided as a separate program forexecution with client application 150.

The client application 150 can be either installed on a computer 105 ofan end users or it can be run on a one time basis (for example,downloaded from a web site to a temporary location on the computer 105and run). When installed a scheduler module 101 can be used to start theapplication in adjustable time intervals, e.g. each day, each hour, oneach start of a supported browser etc. The scheduler module 101 cancause the browser extension detection modules 102, 103 . . . (one moduleper supported browser) to run in order to collect information aboutinstalled browser extensions on client computer 105. Such informationcan consist of an ID of the extension, the author, the name, the rightsthe extension asks for, the type of the extension, digital signaturesused by the extension, a manifest file for the extension and variousother information that can be collected. Such information may varybetween different browser types. Different browser extension detectors102, 103 may be installed depending on the type of browsers installed ona system.

After the browser extension detection modules have collectedinformation, the collected information can be compared againstpreviously collected information stored in the caching module 110. Thecaching module 110 can be used to reduce the amount of requests to aserver or servers on the backend cloud system 120. If no changes sincethe last scan are detected, then in some aspects, client application 150doesn't request reputation data from the cloud system 120 unless thecache interval is reached. If either a new and so far unrated extensionis detected or if the cache interval has expired, then clientapplication 105 can establish a connection through the Internet to thecloud system 120. The client verification module 111 can then request arating for installed browser extensions.

The cloud system 120 can include a request caching module 121. Therequest caching module, in some implementations, can access an extensiondatabase 123 which contains information about a given browser extension.Examples of such information that may be maintained in extensiondatabase 123 can include combinations of one or more of an extension ID,author information regarding the extension that can be collected by thebrowser extension detection modules 102, 103, and statisticalinformation like the “first seen” date, an installation counter or aremoval counter and a rating that is described below with respect toFIG. 2. The extension database 123 can also contain a collected sampleof the binary file of a browser extension. In addition to extensiondatabase 123, request caching module 121 can access user database 122.User database 122 can include records for individual users of thesystem. The user database 122 can be used to build a history for eachclient. User database 122 can store information for individual installedbrowser extensions, the settings for homepage and search provider andthe default browser. Information stored in the user database 122 can beused by the scoring system described below with reference to FIG. 2. Foreach found browser extension, the cloud system 120 can provide areputation score. In some implementations, if the reputation score isbelow a trigger value, the user notification module 112 can notify theuser that a potentially harmful extension has been detected and canoffer to remove the identified browser extension using a user interface,an example of which is shown in FIG. 4.

FIG. 1 and the description above have been provided in the context ofcloud system 120 providing certain functionality. Alternativeimplementations may provide the functionality described above indifferent ways. For example, in some aspects, the functionality of cloudsystem 120 may be provided in a server such as an enterprise server (notshown). Information provided to an enterprise server may compriseinformation from computers within an enterprise and thus may be morelimited than that available to cloud system 120. In alternative aspects,a multi-tiered system may be used in which an enterprise server receivesinformation about computers within the enterprise and may also receivestatistical information from cloud system 120. In this case, theenterprise system can prevent information regarding enterprise employeesfrom being sent to the cloud system, but can receive the benefit of thestatistical analysis of a larger population that can be provided bycloud system 120.

FIG. 2 is a block diagram illustrating an example scoring system 200used to suggest a rating for a particular browser extension according toaspects of the inventive subject matter. The extension scoring system200 can provide ratings for reported browser extensions. The initialscoring for a browser extension that has not been analyzed before candone by the initial scoring module 201. In some aspects, the initialscoring can be determined based on statistical methods and the use ofone or more white-lists and black-lists. If the extension doesn't fallinto a given list, the initial scoring module 201 can request an uploadof the binary files and the starting environment (e.g., the installedWindows drivers and services, autorun files, autostarted files etc.)associated with the extension. Once these files are collected, the codeanalyzer 206 can extract various information items regarding theextension. In some aspects, the information can be represented as“flags” that can be used to determine an initial rating. Such flags caninclude combinations of one or more attributes of the extension, such as“injects into pages”, “redirect URLs” or “communicates with host X”. Theextracted flags can be stored in the extension database 123 (FIG. 1). Inthe case of a newly found extension, attributes of the newly foundextension can be compared with attributes of previously analyzedextension. For example, assume that an extension has attribute“communicates with host stolendata.org” and that there are another 95extensions communicating with the same host and all 95 known extensionshave a poor reputation. The initial scoring module 201 can assign a poorrating to the newly found extension. Further, if the initial scoringmodule finds a digital signature of “GoodCompany” in the new extensionand there are 9 other extensions with the same flag or attribute and allhave a good reputation, the initial reputation can be set to a goodrating in some aspects. A rating can be a numerical value (e.g., 1-100),a letter grade, or some other value that can be used to assign a rating.

The re-installation checker 202 can follow client computers where a userhas removed a poorly rated browser extension due to a recommendationprovided by the system. If the same user installs the same browserextension again manually, the re-installation checker 202 can increasethe score of the given browser extension.

The similitude analyzer 203 can actively search the extension database123 for browser extensions that behave in a similar manner or thatbelong to the same family (e.g., same malware family). In some aspects,similarity can be detected by analyzing the host or hosts that theextension communicates with. This can be a useful analysis because theextension can be polymorphic with thousands or even millions ofvariants, but the number of registered DNS names or IP-addresses used bythe extension authors is typically much more limited. The similitudeanalyzer 203 can use these limitations as well as other indicators ofsimilarity, such as coding styles (e.g., the names of variables) insidethe binary files to identify browser extensions that malware authors tryto hide using polymorphism. Code analyzer 206 can be used to determinecoding style attributes.

The payload analyzer 204 investigates the payload of a given browserextension to determine a behavior of the extension. In some aspects, thepayload analyzer 204 determines if the extension is intended by theauthors of the extension to obtain revenue in ways that are not obviousto, or approved by, the end user or are not the primary use of thebrowser extension. Examples of such behaviors include ad injection, userprofiling, and affiliate hacking, each of which are further describedbelow.

Ad Injection

The type of browser extension places ads into 3rd party webpages, forexample, as popup or pop-under ads when certain webpages are opened. Inaddition, this type of browser extension may replace existing ads meantto appear on webpages with others that are used to earn money for thebrowser extension author.

The payload analyzer 204 can search for known methods of ad injectionand it can collect the websites that are targeted. For example, thepayload analyzer 204 can determine that a certain browser extension isplacing additional ads when particular websites (e.g., www.amazon.com orwww.ebay.com) are opened in the browser.

User Profiling

This type of browser extension can create user profiles by tracking theweb pages visited by a user and the click behavior of the user on theweb page. Additionally, this type of browser extension may access auser's profile on a social media site (e.g., Facebook®, Linkedin® or thelike) or other site that has a user profile. The data collected by thebrowser extension is then typically sold by the authors of the browserextension. The payload analyzer can analyze the payload data todetermine the monitored actions and the network addresses of the backendservers that the extension communicates with and that are collecting thedata.

Affiliate Hijacking

Many online stores run affiliate campaigns. An affiliate campaign can beused to provide a revenue-share model for content providers that are“partners” with the affiliate campaign. Typically each partner receivesa unique ID that is used to track the revenue created by each partner.An affiliate hijacker browser extension can actively search for siteswhere they have an affiliate ID and place that affiliate ID wheneverthere is otherwise no ID or an ID of another provider. The payloadanalyzer 204 can determine the monitored sites and the server addressesof any backend systems that provide control data for the extension.

Various detection methods can use various technologies to analyze thebrowser extension to determine whether the extension fits one of theabove-described extension types or behaviors. For example, the payloadanalyzer 204 can analyze the browser extension binary code (e.g.searching for URLs, HTML specific code or other signatures). Further,the payload analyzer can run the browser extension in a virtualizedenvironment (e.g., a sandbox) after the browser extension has beenuploaded to the cloud system 120. Still further, a manual analysis by anengineer can be performed to determine the browser extension type.

The Search Hijack Checker 205 can determine whether a browser extensionis bundled with a hijacking of the settings for homepage and/or searchprovider of a browser. This is often the case with browser extensionsthat are rated with a value indicating the extension has a poorreputation. Search hijack checker 205 can check the user database 122for entries where the given browser extension has been added and thencan compare the settings for the homepage and search provider before theextension has been added and after the extension has been added. If astatistically relevant number of clients reported a change of the searchor homepage settings, then the host that is set as the home page orsearch provider together with the browser extension can be stored asflag or attribute in the extension database 123 and the scoring for thebrowser extension can be decreased.

FIG. 3 is a flowchart 300 illustrating example operations for a methodfor rating a browser extension according embodiments. At block 302, asystem maintains a database of information associated with browserextensions. For example, an extension database 123 as described abovecan be maintained.

At block 304, information on a browser extension is received. Theinformation can be received in response to a browser being installed ona computer. Alternatively, the information can be received in responseto a scan of a computer for browser extensions. The information caninclude an extension identifier, an author for the extension, URLsreferenced by the extension etc.

At block 306, a check is made to determine if the browser extension isin the already in a set of browser extensions that have been rated. Forexample an extension ID can be used to determine if the browserextension is already in the database.

If the check at block 306 determines that the browser extension is inthe set of browser extensions already in the database, then the methodproceeds to block 312. If the browser extension is not already in thedatabase, then the method proceeds to block 308.

At block 308, attributes of the browser extension being analyzed arecompared to attributes of browser extensions in the database todetermine similarity between the browser extension being analyzed andpreviously rated browser extensions. As indicated above, the attributesthat are compared may be URLs referenced in or by the extensions,authors of the extensions, network addresses used by the extensions etc.

At block 310, a rating can be determined for the extension beinganalyzed based on the similarity of its attributes with the attributesof previously rated browser extensions.

If there are no extensions that have attributes similar to the browserextension being analyzed, the as noted above, the method can request anupload of the binary files and the starting environment (e.g., theinstalled Windows drivers and services, autorun files, autostarted filesetc.). The requested information can be analyzed and various attributesdetermined from the extension and requested information. Such attributesinclude one or more attributes of data indicating the extensions“injects into pages”, “redirect URLs” or “communicates with host ‘X’”.

At block 312 the rating of the browser extension being analyzed is usedto determine if the browser extension is disreputable (i.e., it islikely malware).

If the check at block 312 determines that the browser extension beinganalyzed has a rating that indicates it is not likely to be malware,then the method terminates.

If the check at block 312 indicates that the browser extension isdisreputable, (i.e., it is likely to be malware), then at block 314, theuser is notified and can be provided the option to remove the browserextension.

FIG. 4 illustrates an example user interface 400 notifying the user of adisreputable browser extension, and providing the option for the user toremove the browser extension via a button 402. It will be appreciatedthat alternative user interface elements could be used to notify andprovide an option to remove a disreputable browser extension.

Returning to FIG. 3, at a point in time after removal of a browserextension according to the above-described operations, at block 316, asystem executing the method may check to determine if the userreinstalled the browser extension. If the user did reinstall the browserextension, a rating of the browser extension may be increased on theassumption that if a user chooses to reinstall a browser extension, itis less likely that the browser extension is disreputable.

FIG. 5 is a block diagram of an example embodiment of a computer system500 upon which embodiments of the inventive subject matter can execute.The description of FIG. 5 is intended to provide a brief, generaldescription of suitable computer hardware and a suitable computingenvironment in conjunction with which the invention may be implemented.In some embodiments, the inventive subject matter is described in thegeneral context of computer-executable instructions, such as programmodules, being executed by a computer. Generally, program modulesinclude routines, programs, objects, components, data structures, etc.,that perform particular tasks or implement particular abstract datatypes.

As noted above, the system as disclosed herein can be spread across manyphysical hosts. Therefore, many systems and sub-systems of FIG. 5 can beinvolved in implementing the inventive subject matter disclosed herein.

Moreover, those skilled in the art will appreciate that the inventionmay be practiced with other computer system configurations, includinghand-held devices, multiprocessor systems, microprocessor-based orprogrammable consumer electronics, network PCS, minicomputers, mainframecomputers, and the like. Embodiments of the invention may also bepracticed in distributed computer environments where tasks are performedby I/O remote processing devices that are linked through acommunications network. In a distributed computing environment, programmodules may be located in both local and remote memory storage devices.

In the embodiment shown in FIG. 5, a hardware and operating environmentis provided that is applicable to both servers and/or remote clients.

With reference to FIG. 5, an example embodiment extends to a machine inthe example form of a computer system 500 within which instructions forcausing the machine to perform any one or more of the methodologiesdiscussed herein may be executed. In alternative example embodiments,the machine operates as a standalone device or may be connected (e.g.,networked) to other machines. In a networked deployment, the machine mayoperate in the capacity of a server or a client machine in server-clientnetwork environment, or as a peer machine in a peer-to-peer (ordistributed) network environment. Further, while only a single machineis illustrated, the term “machine” shall also be taken to include anycollection of machines that individually or jointly execute a set (ormultiple sets) of instructions to perform any one or more of themethodologies discussed herein.

The example computer system 500 may include a processor 502 (e.g., acentral processing unit (CPU), a graphics processing unit (GPU) orboth), a main memory 504 and a static memory 506, which communicate witheach other via a bus 508. The computer system 500 may further include avideo display unit 510 (e.g., a liquid crystal display (LCD) or acathode ray tube (CRT)). In example embodiments, the computer system 500also includes one or more of an alpha-numeric input device 512 (e.g., akeyboard), a user interface (UI) navigation device or cursor controldevice 514 (e.g., a mouse), a disk drive unit 516, a signal generationdevice 518 (e.g., a speaker), and a network interface device 520.

The disk drive unit 516 includes a machine-readable medium 522 on whichis stored one or more sets of instructions 524 and data structures(e.g., software instructions) embodying or used by any one or more ofthe methodologies or functions described herein. The instructions 524may also reside, completely or at least partially, within the mainmemory 504 or within the processor 502 during execution thereof by thecomputer system 500, the main memory 504 and the processor 502 alsoconstituting machine-readable media.

While the machine-readable medium 522 is shown in an example embodimentto be a single medium, the term “machine-readable medium” may include asingle medium or multiple media (e.g., a centralized or distributeddatabase, or associated caches and servers) that store the one or moreinstructions. The term “machine-readable medium” shall also be taken toinclude any tangible medium that is capable of storing, encoding, orcarrying instructions for execution by the machine and that cause themachine to perform any one or more of the methodologies of embodimentsof the present invention, or that is capable of storing, encoding, orcarrying data structures used by or associated with such instructions.The term “machine-readable storage medium” shall accordingly be taken toinclude, but not be limited to, solid-state memories and optical andmagnetic media that can store information in a non-transitory manner,i.e., media that is able to store information. Specific examples ofmachine-readable media include non-volatile memory, including by way ofexample semiconductor memory devices (e.g., Erasable ProgrammableRead-Only Memory (EPROM), Electrically Erasable Programmable Read-OnlyMemory (EEPROM), and flash memory devices); magnetic disks such asinternal hard disks and removable disks; magneto-optical disks; andCD-ROM and DVD-ROM disks.

The instructions 524 may further be transmitted or received over acommunications network 526 using a signal transmission medium via thenetwork interface device 520 and utilizing any one of a number ofwell-known transfer protocols (e.g., FTP, HTTP). Examples ofcommunication networks include a local area network (LAN), a wide areanetwork (WAN), the Internet, mobile telephone networks, Plain OldTelephone (POTS) networks, and wireless data networks (e.g., WiFi andWiMax networks). The term “machine-readable signal medium” shall betaken to include any transitory intangible medium that is capable ofstoring, encoding, or carrying instructions for execution by themachine, and includes digital or analog communications signals or otherintangible medium to facilitate communication of such software.

Although an overview of the inventive subject matter has been describedwith reference to specific example embodiments, various modificationsand changes may be made to these embodiments without departing from thebroader spirit and scope of embodiments of the present invention. Suchembodiments of the inventive subject matter may be referred to herein,individually or collectively, by the term “invention” merely forconvenience and without intending to voluntarily limit the scope of thisapplication to any single invention or inventive concept if more thanone is, in fact, disclosed.

As is evident from the foregoing description, certain aspects of theinventive subject matter are not limited by the particular details ofthe examples illustrated herein, and it is therefore contemplated thatother modifications and applications, or equivalents thereof, will occurto those skilled in the art. It is accordingly intended that the claimsshall cover all such modifications and applications that do not departfrom the spirit and scope of the inventive subject matter. Therefore, itis manifestly intended that this inventive subject matter be limitedonly by the following claims and equivalents thereof.

The Abstract is provided to comply with 37 C.F.R. §1.72(b) to allow thereader to quickly ascertain the nature and gist of the technicaldisclosure. The Abstract is submitted with the understanding that itwill not be used to limit the scope of the claims.

What is claimed is:
 1. A method comprising: receiving into a machinereadable medium an indication that a browser extension has beeninstalled; collecting, by one or more processors, first informationassociated with the browser extension; in response to determining thatthe browser extension does not have a rating, comparing, by the one ormore processors, the information associated with the browser extensionwith second information associated with one or more previously ratedbrowser extensions, and determining, by the one or more processors, arating for the browser extension in accordance with the comparing. 2.The method of claim 1, wherein collecting first information includescollecting one or more of an extension identifier, an extension author,and a uniform resource locator (URL) in the extension.
 3. The method ofclaim 2, wherein determining that the browser extension does not have arating comprising determining whether the browser extension has the sameextension identifier as any of the one or more previously rated browserextensions.
 4. The method of claim 1, wherein the browser extensioncomprises a toolbar extension.
 5. The method of claim 1, whereincomparing the information associated with the browser extension includescomparing a URL associated with the extension with one or more URLsassociated with the previously rated browser extensions.
 6. The methodof claim 1, further comprising: determining whether the browserextension was reinstalled after having been removed; and increasing therating for the browser extension in response to determining that thebrowser extension was reinstalled.
 7. The method of claim 1, whereindetermining the rating for the browser extension includes determiningthe rating according to statistical information for the at least one ofthe one or more previously rated browser extensions.
 8. The method ofclaim 1, wherein comparing information associated with the browserextension with second information associated with one or more previouslyrated browser extensions includes determining whether the browserextension contains a reference to a same URL as one of the previouslyrated browser extensions.
 9. The method of claim 1, wherein comparinginformation associated with the browser extension includes determiningif the browser extension includes one or more of the same variable namesas one of the previously rated browser extensions.
 10. The method ofclaim 1, further comprising determining if the browser extensionperforms one or more of ad injection, user profiling, or affiliatehijacking.
 11. A system comprising: one or more processors; and amachine-readable medium having stored thereon machine executableinstructions that, when executed, cause the one or more processors to:receive an indication that a browser extension has been installed,collect first information associated with the browser extension, inresponse to a determination that the browser extension does not have arating, compare the information associated with the browser extensionwith second information associated with one or more previously ratedbrowser extensions, and determine a rating for the browser extension inaccordance with the comparison.
 12. The system of claim 11, wherein thefirst information includes one or more of an extension identifier, anextension author, and a uniform resource locator (URL) in the extension.13. The system of claim 12, wherein the determination that the browserextension does not have a rating comprises a determination that thebrowser extension does not have the same extension identifier as any ofthe one or more previously rated browser extensions.
 14. The system ofclaim 11, wherein the browser extension comprises a toolbar extension.15. The system of claim 11, wherein the machine executable instructionsto compare the information associated with the browser extension includemachine executable instructions to compare a URL associated with theextension with one or more URLs associated with the previously ratedbrowser extensions.
 16. The system of claim 11, wherein the machineexecutable instructions further include instructions to: determinewhether the browser extension was reinstalled after having been removed;and increase the rating for the browser extension in response to adetermination that the browser extension was reinstalled.
 17. The systemof claim 11, wherein the machine executable instructions to determinethe rating for the browser extension include machine executableinstructions to determine the rating according to statisticalinformation for the at least one of the one or more previously ratedbrowser extensions.
 18. The system of claim 11, wherein the machineexecutable instructions to compare information associated with thebrowser extension with second information associated with one or morepreviously rated browser extensions include machine executableinstructions to determine whether the browser extension contains areference to a same URL as one of the previously rated browserextensions.
 19. The system of claim 11, wherein the machine executableinstructions to compare information associated with the browserextension include machine executable instructions to determine if thebrowser extension includes one or more of the same variable names as oneof the previously rated browser extensions.
 20. The system of claim 11,wherein the machine executable instructions further include instructionsto determine if the browser extension performs one or more of adinjection, user profiling, or affiliate hijacking.
 21. Amachine-readable medium having stored thereon machine executableinstructions that, when executed, cause one or more processors to:receive an indication that a browser extension has been installed,collect first information associated with the browser extension, inresponse to a determination that the browser extension does not have arating, compare the information associated with the browser extensionwith second information associated with one or more previously ratedbrowser extensions, and determine a rating for the browser extension inaccordance with the comparison.
 22. The machine-readable medium of claim21, wherein the first information includes one or more of an extensionidentifier, an extension author, and a uniform resource locator (URL) inthe extension.
 23. The machine-readable medium of claim 22, wherein thedetermination that the browser extension does not have a ratingcomprises a determination that the browser extension does not have thesame extension identifier as any of the one or more previously ratedbrowser extensions.
 24. The machine-readable medium of claim 21, whereinthe browser extension comprises a toolbar extension.
 25. Themachine-readable medium of claim 21, wherein the machine executableinstructions to compare the information associated with the browserextension include machine executable instructions to compare a URLassociated with the extension with one or more URLs associated with thepreviously rated browser extensions.
 26. The machine-readable medium ofclaim 21, wherein the machine executable instructions further includeinstructions to: determine whether the browser extension was reinstalledafter having been removed; and increase the rating for the browserextension in response to a determination that the browser extension wasreinstalled.
 27. The machine-readable medium of claim 21, wherein themachine executable instructions to determine the rating for the browserextension include machine executable instructions to determine therating according to statistical information for the at least one of theone or more previously rated browser extensions.
 28. Themachine-readable medium of claim 21, wherein the machine executableinstructions to compare information associated with the browserextension with second information associated with one or more previouslyrated browser extensions include machine executable instructions todetermine whether the browser extension contains a reference to a sameURL as one of the previously rated browser extensions.
 29. Themachine-readable medium of claim 21, wherein the machine executableinstructions to compare information associated with the browserextension include machine executable instructions to determine if thebrowser extension includes one or more of the same variable names as oneof the previously rated browser extensions.
 30. The machine-readablemedium of claim 21, wherein the machine executable instructions furtherinclude instructions to determine if the browser extension performs oneor more of ad injection, user profiling, or affiliate hijacking.